UAT-9686

UAT-9686 is a China-linked / China-nexus advanced persistent threat (APT) actor assessed by Cisco Talos with moderate confidence to be China-affiliated. The group has been observed exploiting the Cisco AsyncOS zero-day CVE-2025-20393 against Cisco Secure Email Gateway (SEG) and Cisco Secure Email and Web Manager (SEWM/SMA) appliances, with activity reported since at least late November 2025 and exploitation confirmed by December 10, 2025. The campaign targeted internet-exposed appliances with Spam Quarantine enabled, and reporting describes the activity as a sophisticated espionage operation. Cisco Talos linked UAT-9686 to deployment of a custom persistence mechanism/backdoor called AquaShell, a lightweight Python backdoor embedded in Cisco AsyncOS web server files that receives encoded commands via unauthenticated HTTP POST requests and executes them in the system shell. Associated tooling used in the campaign includes AquaTunnel / ReverseSSH for reverse SSH tunneling, Chisel for HTTP-based tunneling and internal pivoting, and AquaPurge for log clearing and anti-forensics. Reporting also notes use of tunneling tools and a Python backdoor, as well as log purging and persistence installation on compromised appliances. Cisco Talos stated that the group’s tooling, infrastructure, and TTPs overlap with known Chinese groups including APT41 and UNC5174, and that AquaTunnel and related tools have previously been linked to those Chinese state-backed groups. The provided content does not state that UAT-9686 is the same actor as APT41 or UNC5174, only that there is overlap. No additional aliases or sub-groups are provided beyond UAT-9686.